Deeplinks

There's good news today for privacy advocates — the Onion reports that Google has developed an exciting new "opt out" program for those who don't want the search giant compiling vast amounts of their personal data:

Those unsure about whether this opt-out feature is right for them may want to take action now — tell Google you want privacy protections built into Google Book Search to ensure the right to read privately in the future. And if the idea of moving to a remote village to protect your privacy is unappealing, consider a donation to support EFF's work defending your privacy.

Today, EFF and the Center for Democracy and Technology submitted comments to the Office of Management and Budget in response to the agency's review of the policies governing the federal government's use of cookies and other web technologies.

The comments are an extension of recommendations we made in May, in which we suggested that the OMB permit cookie-based web analytics so long as the process was carefully overseen and met with specific strict safeguards. Today, we've expanded our recommendations to include the use of cookies for creating individualized web account logins and other common web practices that we understand government webmasters would like to be able to use. Overall, we continue to urge the government to limit the use of any data collected, to eliminate this data as soon as possible, and to seek third-party oversight.

To see the extent to which the current cookie policy creates confusion and allows invasions of citizens' privacy, one need look no further than the ongoing episode surrounding WhiteHouse.gov's use of embedded YouTube videos. In the current WhiteHouse.gov privacy policy, a waiver grants YouTube the right to use persistent cookies, but only "to help maintain the integrity of video statistics." In contrast, YouTube's privacy policy allows for much broader use, claiming license to permanently store data gleaned from WhiteHouse.gov for use in "marketing campaigns." (In June, Google privately told EFF that it had halted this practice and was ignoring cookies from visitors to WhiteHouse.gov — but, since then, we've been waiting for a clear, public statement from Google to confirm or clarify this.)

Today, we've proposed a new and better framework. We thank the OMB for the opportunity to suggest a solution to these problems and hope our comments will be taken into account.

EFF and Public Knowledge this week urged Congress to give American technology users more input in international trade agreements that have broad ramifications for digital freedom. In written testimony submitted to the House Ways and Means Committee, the groups told lawmakers that the U.S. Trade Representative's influential industry trade advisory committee on intellectual property should represent the interests of all stakeholders, and not just IP owners. PK and EFF also called on Congress to amend the Trade Act to change the default rules that allow the USTR to close ITAC meetings and prevent disclosure of ITAC documents to the public.

The current controversy over the proposed Anti-Counterfeiting Trade Agreement (ACTA) demonstrates why this is necessary. Representatives of the MPAA, the RIAA, ESA and BSA have called for treaty provisions that would require Internet service providers to engage in filtering of their customers' Internet communications for potentially copyright-infringing material, force mandatory disclosure of personal information about alleged copyright infringers, and adopt "Three Strikes" policies requiring ISPs to automatically terminate customers' Internet access upon a repeat allegation of copyright infringement. Obviously, these provisions raise serious privacy, due process, fairness and free speech questions that demand public interest input. The USTR has confirmed that members of the industry trade advisory committee on IP have been given access to draft ACTA negotiating texts and provided advice to the USTR. Meanwhile, citizens, and the public interest groups which represent them, have had to rely on leaked documents to understand ACTA's likely effect on them.

As Public Knowledge notes, currently the industry trade advisory committee on intellectual property is composed almost exclusively of representatives from large content and pharmaceutical companies. As international intellectual property norms are increasingly created through closed bilateral and plurilateral trade negotiations, rather than in traditional open multilateral venues like WIPO, it is critical that policymakers obtain balanced input from all affected stakeholders. It's time to correct the imbalance and ensure that trade agreements reflect the interests of all Americans.

Not surprisingly, Amazon’s recent deletion of George Orwell’s 1984 and Animal Farm from its customers' Kindle e-book readers has sparked a class action lawsuit by Kindle users. After all, not only was the remote deletion “stupid,” as CEO Jim Bezos admitted, it also appears to have been a violation of the terms of service for Kindle that Amazon itself drafted.

We’d love to see what a judge or jury would have to say about the situation. Lead plaintiff Justin Gawronski’s story of harm is particularly compelling: he not only lost his copy of 1984, but also the annotations he had been making for a class. (So much for e-books as the future of education -- we bet Justin wishes he had just picked up a copy from his local bookstore and scribbled in the margins). If, however, the prospect of a settlement or judgment looms, there are some things Justin and his fellow plaintiffs might demand to protect not only current Kindle owners, but future ones as well.

As we see it, the heart of the problem is that customers who shell out $300 for a Kindle are not getting the product they expect: a device that will let them do electronically most of the things they expect to do with physical books -- e.g., read them (and re-read them), mark them up, carry them around, and share them with others -- without worrying that a bookseller might reach through and not only delete their books but also monitor and record their activities. It is this combination of powers (tracking, recording, erasing) that makes Amazon look like Big Brother -- and made this act particularly ironic.

The best thing that Amazon could do to match consumer expectations and preserve the basic freedoms and rights that we have with books and magazines and newspapers in the physical world would be to remove all digital rights management (“DRM”) restrictions from the content users access through the Kindle and ensure that the device doesn’t otherwise “phone home” to report on readers’ activities. That would allow Kindle users to approximate the rights they would have if they went to a local bookstore or magazine rack, without fear of violating the legal and technical add-ons that the DRM creates. In this case, it would have allowed Gawronski to back up his copy of 1984, with annotations, and thereby protect himself from Amazon’s foolish decision.

If that’s not possible at this juncture -- though we remain confident that eventually book DRM will fall away just as music DRM has -- any settlement or court order arising from this debacle should require the following:

Leave Content on Kindles Alone: Amazon should permanently and irrevocably disable the "feature" that gives Amazon the ability to control, access and delete the books, newspapers and other content its users have purchased. (The Free Software Foundation has launched a petition calling on Amazon to do this.)

Transparency and User Knowledge of Kindle Activities: Amazon should be transparent about both the information it tracks and the control it retains for the Kindle. This involves two things:

Affirmative Disclosure. Amazon should disclose in detail what tracking and control it retains. Right now Amazon’s terms of use are very broad -- giving Amazon nearly carte blanche to track its users -- but also very vague about what exactly Amazon is tracking and what it is doing with the information it collects. For example, Amazon should be required to tell Kindle users, on a regular basis, what information is being sent to the mothership. (Amazon could offer an opt-out option for those who are not interested in this information.) This is exactly what many "crash reporting" tools already do. And it would prevent customers from being surprised to learn that Amazon is tracking their reading habits.

Allow Inspection. Amazon should also eliminate the restriction on circumventing security features that currently threatens the ability of readers to know what their own devices are doing and reporting about their activities. Right now, consumers don’t know -- because Amazon has refused to disclose -- what other creepy, unreasonable or dangerous “features” Amazon has hidden inside their Kindles. Not only should Amazon tell users, but users should be able to check for themselves to ensure that Amazon isn’t engaging in any “mission creep” and also to protect themselves against security flaws and vulnerabilities that are all too common in digital devices.

Limit Disclosures: Amazon should change its privacy policy, which currently gives it broad rights to disclose the information it collects about Kindle users to the government or others without a warrant or a court order. Amazon’s policy should better reflect the strong privacy protections that bookstores have long fought for and won.

Notice of Changes: Amazon should commit to advising customers of any changes in the terms of service by showing a pop-up screen describing the change, in plain language, whenever the device first connects to Amazon after a change.

Sales Are Sales: Amazon should respond to customer expectations by adding language to clarify that all books, magazines and newspapers are not licensed but rather sold, and may be disposed of at the purchaser’s discretion.

No Forced Updates: Amazon should allow Kindle users to choose which "updates" they wish to install and should ensure that all security and other core functionality updates work with all previous versions of the software.

User Control of User Creations: Amazon reserves the right to discontinue at any time the “Service” that allows Kindle users to back up their annotations and highlights, which means Kindle users could lose those notes. For some users, these annotations could be as valuable as the books themselves. Amazon should provide users with the option of creating a personal backup copy of their annotated books for their laptops.

None of these measures is a perfect solution on its own, and several arguably go beyond the specific harm caused by the 1984 debacle. Still, taken together, they would help reassure buyers of e-books that they are getting what they expect: a text that is as good as or better than its paper counterpart. We’ll be watching the Kindle lawsuit closely to see how many of these are implemented as part of a settlement or court decision. Better yet, Amazon should go ahead and implement them on its own.

There's an entertaining clip from Glenn Beck's Fox News program making the rounds on the Internet lately, featuring this language from the Terms of Service for the "Cash for Clunkers" program:

This application provides access to the [Department of Transportation] DoT CARS system. When logged on to the CARS system, your computer is considered a Federal computer system and is the property of the U.S. Government. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed... to authorized CARS, DoT, and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign.

While this language was accessible only by registered dealers, and not the public (and has apparently now been removed), it nevertheless is a shocking example of the kind of problems that can come with click-through agreements written by faceless lawyers and basically imposed on the rest of us. No one should ever try to force you to "agree" that accessing a government website turns your computer into a government computer or gives up your privacy rights in the other contents of your computer.

This hopefully careless language demonstrates the concerns that EFF has long raised about the creeping reduction in user privacy and rights online that we see through various means, including terms of service, cookies and even the “phone home” nature of some of our devices like the Amazon Kindle. This sort of contracting away of our privacy and rights is bad enough when companies do it — it should be off limits for government.

Unfortunately, the commentary of Fox anchor Kimberly Guilfoyle was also wrong about the scope of the privacy issues:

They are jumping right inside you, seizing all of your personal and private information, and absolutely legal, Glenn, they can do it... They can continue to track you, basically forever, once they've tapped into your system, the government of course has, like, malware systems, and tracking cookies, and they can tap in any time they want.

Clicking "continue" on a poorly worded Terms of Service on a government site will not give the government the ability to "tap into your system... any time they want." The seizure of the personal and private information stored on your computer through a one-sided click-through terms of service is not “conscionable,” as lawyers say, and would not be enforceable even if the cars.gov website was capable of doing it, which we seriously doubt. Moreover, the law has long forbidden the government from requiring you to give up unrelated constitutional rights (here the 4th Amendment right to be free from search and seizure) as a condition of receiving discretionary government benefits like participation in the Cash for Clunkers program.

The problems with overreaching terms of service are real, and EFF has been working hard to combat them, especially when your privacy is at stake. Companies and government departments repeatedly sow the seeds of confusion, concern and outrage when they sneak catch-all terms into the small print. Our ToSBack site tracks these agreements and allows the public to find out what they say and track their changes over time. But terms of service agreements don’t go as far as allowing the government ongoing, free range into your personal computer with a single mouse click. At least not yet.

As has been widely reported, the National Portrait Gallery of London (NPG) recently sent a legal threat to an American Wikipedian, Derrick Coetzee, over his posting approximately 3,000 photos of public domain paintings to Wikipedia. Because of the importance of this issue for the public domain and the Internet generally, EFF has taken Mr. Coetzee as a client.

Here's the issue at the heart of this dispute: does something have to be in the public domain in every country on the planet before it can be posted to the Internet anywhere?

According to NPG, Mr. Coetzee copied digital photos from NPG's website and uploaded them to Wikipedia (where they are still available). Everyone agrees that the photographs are of public domain paintings in NPG's collection (e.g., this portrait of William Blake painted in 1807). It's also clear under U.S. law that simple reproductions of public domain paintings are themselves not copyrightable, since they lack any "originality" beyond the "sweat of the brow" of the photographer. NPG's lawyers argue that the rule is different under UK copyright law (although there is reason to doubt that it's as clear as NPG suggests) and that Mr. Coetzee is therefore a copyright infringer. NPG also makes several other claims, including that Mr. Coetzee has violated their website's "browsewrap" terms of use, that he violated the NPG's database right by extracting the images from their website, and that he has circumvented a technological measure (apparently Zoomify, which is no longer used on NPG's website) in violation of the UK's version of the DMCA.

As we explained to NPG in a letter sent on July 20, it's quite clear under U.S. law that Mr. Coetzee did nothing wrong -- as far as U.S. law is concerned, the photos are not copyrightable, the NPG website's "browsewrap" contract is unenforceable, there is no "database right," and using Zoomify on public domain images doesn't get you a DMCA claim. It's also clear that everything he's alleged to have done took place on his computer and Wikipedia's computers, none of which are in the UK.

In the offline world, that would certainly be the end of the matter. If Mr. Coetzee had flown to London, purchased posters of the same paintings at the museum store, brought them home, and started making copies for his friends, it's clear he would be well within his rights in doing so.

Why should the answer be different simply because he posted the photos to Wikipedia? NPG seems to think that UK law should apply everywhere on the Internet. If that's right, then the same could be said for other, more restrictive copyright laws, as well (see, e.g., Mexico's copyright term of life of the author plus 100 years and France's copyright over fashion designs). That would leave the online world at the mercy of the worst that foreign copyright laws have to offer, an outcome no U.S. court has ever endorsed.

The FCC has sent a trio of letters to Apple, AT&T, and Google seeking information about Apple's recent decision to block Google Voice apps from Apple's iPhone App Store. We're pleased that Chairman Genachowski's FCC is taking wireless competition seriously, and hope that it also looks into similar discriminatory treatment that has affected iPhone apps from others, such as Skype, Mozilla, and Sling Media.

When a dominant hardware platform vendor teams up with a dominant network services provider, and then selectively blocks or hobbles software applications on the platform, consumers should smell an anticompetitive rat. After all, if Microsoft had a veto right over every app that ran under Windows, and used that power to selectively ban competitors who "duplicate" functionality offered by Microsoft's own apps, we'd expect competition regulators to be up in arms. The combination of Apple's veto power over the iPhone apps market and AT&T's handset exclusivity arrangement with Apple should also have consumers and regulators on their guard. (In order to unshackle consumers from the technical restrictions built into the iPhone, EFF has petitioned the Copyright Office to get "jailbreaking" and "unlocking" out from under the DMCA.)

And Apple hasn't been shy about their anticompetitive motives, either. For example, Apple told the developer of GV Mobile (one of the Google Voice apps that got the axe last week) that his app was being removed for "duplicating features that the iPhone comes with." Apple has given the same anticompetitive rationale to other app developers in the past. And the company also continues to block Firefox and all other alternatives to its own web browser technology on the iPhone. Other applications, including Skype and Sling Player, are hobbled to work only on WiFi, while other bandwidth-intensive video applications continue to work on-the-go over AT&T's 3G network (those who have jailbroken their iPhones can restore 3G access to Sling and Skype).

It would be nice if the FCC asked Apple and AT&T to justify all of these app rejections, and also threw its weight behind EFF's DMCA exemptions, which aim to restore some consumer choice for iPhone owners.

EFF today released an Interim Report on the Automated Targeting System (ATS) through which the Department of Homeland Security monitors and assigns risk assessment scores to Americans and others who cross into or out of the United States. The data reviewed under the ATS system includes seven large government databases, plus the Passenger Name Record data from the airlines (which includes data like whether you've ordered a Muslim or Hindu or Jewish special meal). Effectively, if you travel internationally, ATS creates an instant, personal and detailed dossier on you that CBP officers use to decide whether you get to enter the country, or will be subject to an enhanced (and potentially invasive) search. EFF's report details what we've learned about the ATS program from the over 2,000 pages released by the government so far. We note that because of the government's very heavy redacting and refusal to release key information, Americans remain in the dark about how this powerful system is used on travelers. EFF's Interim Report was written by Shana Dines.

DHS has continued to release documents to EFF, so we'll update the report as additional useful information comes out.